| The Three Lines Model has replaced previously known Three Lines of Defense model in July 2020. This updated Model helps organizations identify structures and processes that help in achievement of objectives and facilitate better governance and risk management. The model applies to all organizations and is optimized by: – Adopting a more flexible principles-based approach suiting objectives and environment of the organization. – Concurrent focus on contribution risk management as well as to matters of “defense” and protecting value. – Explaining the roles and responsibilities and the relationships among them. – Creating enablers to ensure activities and objectives are aligned to achieve key / prioritized interests of stakeholders. |
The Three Lines Model lays down 6 principles:
Principle 1: Governance of an organization requires appropriate enabling structures and processes.
Principle 2: Governing body’s role is to create enablers for governance and align entity objectives to stakeholders’ expectations.
Principle 3: Management is responsible to achieve organizational objectives through first and second line roles.
Principle 4: Internal audit provides independent and objective assurance and advice as Third line role
Principle 5: Internal audit is independence from management
Principle 6: All roles are working together to collectively contribute to the creation and protection of value
How the model function
Structure, roles, and responsibilities
For being most effective, the ‘Three Lines of Defense Model’ is required to be configured and implemented in line with the goals and environment of the entity. Management and Governing body of the organization ascertains its structure and assigning of roles and responsibilities though appropriate delegation.
The management may set up role specific committees to provide desired supervision for relevant dimensions – like responsibility, audit, risk, finance, planning, and compensation / remuneration. Within management, there would be operational and line (command) arrangements when entities are more obsessed toward specialization in view of growing size and complexity of the organizations.
Various departments, teams, and even individuals might have been assigned responsibilities consisting of roles that are covering the activities which falls on first and second lines. Through efficient management of the roles, direction and oversight under the second line roles may be configured in a manner that secures required level of independence from those with first line roles — and even from the most senior levels of management. But the same requires establishing primary accountability and reporting lines to the governing body.
Updated ‘Three Lines Model’ permits creation of as many reporting lines between management and the governing body as required according to the need of the organization. In some organizations, especially the regulated financial institutions, creation of such multiple lines is mandated by the regulatory body (like RBI or NHB) to ensure sufficient degree of independence. But even in these scenarios, those charged with management at first line roles are primarily responsible for managing risk.
Those managing the second line roles would perform monitoring, advice, guidance, testing, analyzing, and reporting on matters related to the management of risk. As such these functions provide support and challenge to those responsible for the first line roles and plays pivotal role in management decisions and actions. Further, these second line roles are as such part of management’s key responsibilities. These are not independent from management, irrespective of reporting lines and accountabilities.
The key characteristic of the third line roles is their independence from those responsible for management. The six principles of the ne ‘Three Lines Model’ explains the importance and nature of independence of internal audit function, establishing internal audit separately from other functions and enabling the distinctive value of its assurance and advice.
Independence of internal audit function is protected and ensured by
- Not making decisions or taking actions that are part of management’s responsibilities (including risk management); and
- Not provide assurance on those activities for which internal auditor is currently responsible or was responsible in recent past.
Indian business environment is full of examples wherein the Internal Audit Manager is discharging additional decision-making responsibilities over activities utilizing similar competencies, like certain aspects of statutory compliance or ERM. Under such conditions, internal audit is not independent of these activities or of their results. Accordingly, an independent and qualified third party may be roped in when the governing body is looking for independent and objective assurance and advice relating to those areas.
Assurance and Oversight
The Board of Directors relies on the information and reports from management – consisting of designated officials performing first and second line roles, internal auditors (i.e. the third line), and others responsible officials in order to exercise oversight and achievement of its objectives assigned by stakeholders.
Management provides desired level of assurance on key areas – like budgets and plans, actual performance, projections, types of risk (existence), and risk management by using its experience and expertise of their respective domain. The second line role officials provide additional assurance on risk-related matters. The assurance provided by internal auditors (which is independence from management) carries the highest degree of objectivity and confidence. Irrespective of reporting lines, the level of objectivity and confidence is far above the level which is normally provided by those responsible for the first and second line roles.
Alignment and Coordination
Appropriate delegation of responsibilities and strong alignment of activities through cooperation, collaboration, and communication is the key for effective governance requires. The Board of Directors obtains objective confirmation through internal audit that governance structures and processes are appropriately designed and operating as intended (through various reports). One such format mandated by law is report on Internal Financial Control (IFC) in India.